1. INTRODUCTION


1.1 THE EVOLUTION OF RISK MANAGEMENT 

Today, risk management is an indispensable element of a corporate governance 
system in world class organisations. Numerous reasons support the growing 
importance and profile of risk management, the most likely being the unprecedented 
levels of business complexity and the impact of globalisation. In addition, the number 
of high profile business failures in the last decade has played a significant role in 
elevating risk management as an important governance process. Enron, WorldCom
and Parmalat and, in South Africa, Leisurenet, Regal Treasury Bank and Fidentia are
some of these high profile business failures.

Although risk management has risen in prominence in recent years, it is not a new 
phenomenon. However, it was only about a decade ago that organisations began to 
realise the value of risk management as an integral component of business 
operations and an important contributor to the sustainability of organisations and the 
protection of shareholder value. Until the early 1990s risk management tended to be 
equated with loss prevention through insurance buying or hedging of financial risk 
with derivatives. 

Since then the focus has shifted to an enterprise-wide risk management approach. 
This is a holistic, integrated, forward-looking and process-orientated approach to 
managing all key business risks, not just financial ones, with the intent of maximising 
shareholder value for the enterprise as a whole. It provides a whole new paradigm 
on risk management as illustrated below: 


Traditional Approaches | New Paradigm
Fragmented | Integrated
Negative | Positive
Reactive | Proactive
Ad hoc | Continuous
Cost-based | Value-based
Narrowly focused | Broadly focused


In South Africa, the Municipal Finance Management Act requires that the Accounting
Officer maintain effective, efficient and transparent systems:

i) of financial and risk management and internal control; and

ii) of internal audit operating in accordance with any prescribed norms and
standards.

Enterprise Wide Risk Management has been institutionalised in the public
sector both in South Africa and all over the world.


1.2 OBJECTIVES 

The objectives of this Risk Management Policy are to: 

i) Provide a level of assurance that current and emerging significant risks are 
effectively managed; 

ii) Improve the municipality’s performance by assisting and improving decision
making and planning;

iii) Promote a more innovative, less risk averse culture in which the taking of 
calculated risks in pursuit of opportunities to benefit the organisation is 
encouraged; 

iv) Provide a sound basis for integrated risk management and internal control as 
components of good corporate governance; 

v) Establish a culture of Risk Management within the Municipality; 

vi) Effectively manage specific risks within the Municipality such as security and
fraud and corruption;

vii) Ensure that the Municipality complies with legislation, policies, and regulatory
requirements;

viii) Embed risk management into the culture and language of the Mhlontlo; and

ix) Delineate boundaries regarding risk management within the Mhlontlo.

1.3 PURPOSE 

i) The purpose of this strategy document is to provide a risk management
framework and guidelines to be followed within the Mhlontlo Local
Municipality (hereafter referred to as “Mhlontlo”).

ii) This document sets out Mhlontlo’s Enterprise Risk Management Policy
Framework. It describes Mhlontlo’s Risk Management: Policy, Objectives,
Benefits, Principles, responsibilities and guidelines.

1.4 DEFINITIONS


a) Risk - is the chance of something happening or not happening that will have an
impact upon the objectives of Mhlontlo and/or individual departments and/or
divisions. Risk can also be defined as an uncertain future event (threats and
opportunities) that could influence the achievement of the goals and objectives of the
municipality.

b) Risk Management - is a systematic approach to setting the best course of action
under uncertainty by identifying, assessing, understanding, acting on and
communicating risk issues and opportunities.

c) Enterprise Risk Management - is a continuous, proactive and systematic process
effected by the Mhlontlo’s Council, Management and other personnel, applied in
strategy setting and across the operations of the enterprise, designed to identify
potential events that may affect the entity, and manage risk to be within its risk
appetite, to provide reasonable assurance regarding the achievement of entity
objectives. It is a structured and consistent approach across the Municipality that
aligns strategy, processes, people, technology and knowledge with the purpose of
evaluating and managing the risks (threats and opportunities) that the Municipality
faces to create stakeholder value, and/or choices made under conditions of
uncertainty, bound by acceptable levels of risks, designed to sustain/maximise
stakeholder value.

d) Control Activities - policies and procedures established and implemented to help 
ensure the risk activities are effectively carried out. 

e) Inherent Risk - This is the product of the probability of occurrence and the severity
of outcome, prior to control measures.

f) Residual Risk - is the risk after considering the effectiveness of management’s risk
responses (controls).

g) Risk Assessment - The overall process of identifying, analysing and evaluating risk.
The risk assessment process should consider risks that are significant to the
achievement of the Municipality’s objectives. This is a continuous process, requiring
regular reviews, as and when internal and external changes influence the
Municipality’s strategies and objectives.

h) Risk Categories - is the grouping of risks with similar characteristics used in
establishing the client’s risk portfolio (see risk profile). Ultimately determined by the
client, the characteristics used to define risk categories typically reflect the client’s
business model, industry or other factor that drives risk within the organisation.

i) Risk Appetite - the amount of risk taken in pursuit of value.

j) Risk Strategy - the approach adopted for associating and managing risk based on 
the Municipality’s objectives and strategies. 

2. ACRONYM 


AO | Accounting Officer (Municipal Manager)
MHLONTLO | Mhlontlo Local Municipality
MFMA | Municipal Finance Management Act
AC | Audit Committee
RMC | Risk Management Committee




3. SCOPE 

This strategy document applies to all personnel within the Mhlontlo. 

4. LEGISLATIVE REQUIREMENTS

Since 2003 this practice has been further supported by the Municipal Finance
Management Act which stipulates in section 62 that:

“The Municipal Manager ... has and maintains effective, efficient and transparent
systems:

(i) of financial and risk management and internal control; and 

(ii) of internal audit operating in accordance with any prescribed norms and 
standards” 

The extension of the general responsibilities, in terms of section 79 of the MFMA, to all
Top Management is a cornerstone in the institutionalization of risk management in the
public service. It establishes responsibility for risk management at all levels of
management, extending beyond the roles of the Accounting Officer, the internal audit
units or the Audit Committee in this regard.

The King Report on Corporate Governance also reflects on risk management as an
integral part of strategic and operational activities. The King II code states “The Board is
responsible for the total process of risk management, as well as for forming its own
opinion on the effectiveness of the process.”

The Institute of Internal Auditors defines risk as “the uncertainty of an event occurring
that could have an impact on the achievement of objectives. Risk is measured in terms
of consequences and likelihood.”

Risk Management is more than an exercise of risk avoidance. It is as much about 
identifying and utilizing opportunities as avoiding or mitigating losses. 


4. RISK MANAGEMENT POLICY 

At Mhlontlo, we are committed to optimal management of risk in order to achieve our
vision, our principal tasks and key objectives and to protect our core values.

The council of the Mhlontlo has committed the organisation to a process of risk
management that is aligned to the principles of the King II Report and the Municipal
Finance Management Act 56 of 2003 (MFMA). The features of this process are outlined
in this document. It is expected that all departments/divisions, operations and processes
will be subject to the prescripts of this risk management strategy.

The council recognises that at Mhlontlo, risk management is a complex and a diverse
concept, and that there are many departments/divisions of the municipality working at
managing risk exposures. It is the intention that these departments/divisions will work
together in a consistent and integrated manner, with the overall objective of reducing
risk, as far as reasonably practicable.

The risk strategy considers various risk functions as it determines aspects such as risk 
tolerance limits and capital allocation processes. 

Different risk related or assurance provider functions will align their various goals and 
reporting processes into one cohesive and structured framework. All of the Mhlontlo’s 
business, financial, technological, legal and operational risk exposures, whether they are 
insurable or not, will be identified, assessed, and appropriately managed. 

All risk management efforts will be focused on supporting the Mhlontlo’s objectives.
Equally, they must ensure compliance with relevant legislation, and fulfil the expectations
of employees, communities and other stakeholders in terms of corporate governance.

Effective risk management is imperative to an entity with our risk profile. The realisation
of our Integrated Development Plan depends on us being able to take calculated risks in 
a way that does not jeopardise the direct interest of stakeholders. Sound management of 
risk will enable us to anticipate and respond to changes in our environment, as well as 
take informed decisions under conditions of uncertainty. 

Every employee has a part to play in this important endeavour. 

5. BENEFITS OF RISK MANAGEMENT 

The benefits of municipality risk management to Mhlontlo encompass:

• Aligning risk appetite and strategy - Management considers their risk
appetite in evaluating strategic alternatives, setting related objectives and
developing mechanisms to manage related risks.

• Enhancing risk response decisions - Municipality’s Risk Management
provides the rigour for management to identify alternative risk responses -
risk avoidance, reduction, sharing and acceptance.

• Reducing operational surprises and losses - Mhlontlo faces a myriad of
risks affecting different parts of the organisation. Municipality risk
management facilitates effective responses to the interrelated impacts and
enhances an integrated response to multiple risks.

• Seizing opportunities - By considering a full range of potential events,
Management is positioned to identify and proactively realize opportunities.

• Improving deployment of capital - Obtaining robust risk information
allows Management to effectively assess overall funding requirements and
enhance allocation.

• Ensuring compliance with laws and regulations - Municipality Risk
Management contributes to effective reporting and monitoring of compliance
with laws and regulations and assists with the limitation of damage to
Mhlontlo’s reputation and associated consequences.

• Increasing probability of achieving objectives - Municipality’s Risk
Management helps achieve Mhlontlo’s performance and financial targets and
assists with the prevention of loss of resources. Control and risk interventions
will be chosen on the basis that they increase the likelihood that Mhlontlo
will fulfil its intentions/commitments to its stakeholders.

Every employee of Mhlontlo has a part to play in Municipality Risk
Management.


6. PRINCIPLES OF RISK MANAGEMENT 

The principles contained in this strategy will be applied at both strategic and operational 
levels within the municipality. The following principles have been identified to ensure that 
the risk management vision of the Municipality is achieved: 

• Risk management is part of everyday management; 

• Everyone is a risk manager; 

• Risk sharing (risk awareness); and 

• Risk cannot be eliminated but should be managed. 

Mhlontlo’s risk management strategy will be applied to all operational aspects of the 
municipality and will consider external strategic risks arising from or related to our 
partners such as government departments, the public and other external stakeholders. 
Our positive approach to risk management means that we will not only look at the risk
of things going wrong, but also the impact of not taking opportunities or not capitalising
on strategic strengths.

All risk management activities will be aligned to the Mhlontlo values and principles,
objectives and organisational priorities, and aim to protect and enhance the reputation
and standing of the municipality.

Our risk management approach will inform and direct our work to gain confidence on the 
reliability of our risk strategies and therefore provide assurance. Managers and staff at 
all levels will have a responsibility to identify, evaluate and manage or report risks, and 
will be equipped to do so. 

Risk Management in the municipality should be proactive and reasoned. Strategic and 
operational risks should be identified, objectively assessed, and where this is 
appropriate, response actively managed. 

The aim is to anticipate and, where possible, prevent risks resulting in unwanted events
rather than dealing with their consequences. However, for some risks where the
likelihood of risk occurring is remote, but the consequences for the entity are high, we will
ensure that business continuity plans are developed and authorised by the municipal
manager. This will allow us to contain the negative effect of unlikely events, which might
occur.

In determining appropriate risk management controls, the cost of control and the impact
of risk occurring will be balanced with the benefits of reducing risk. This means that we
will not necessarily set up and monitor controls to counter risks where the cost and effort
are grossly disproportionate to the impact or expected benefits.

We also recognise that some risks can be managed by transferring them to a third party, 
for example by insurance. In the current climate it is rare to effectively / fully transfer 
risks by contracted arrangements. 

The underlying premise of Enterprise Risk Management (ERM) is that every entity exists 
to provide value for its stakeholders. 

All entities face uncertainty and the challenge for management is to determine how much 
uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both 
risk and opportunity, with the potential to erode or enhance value. 

ERM enables management to effectively deal with uncertainty and associated risk and 
opportunity, enhancing the capacity to build value. 

Value is maximised when management sets objectives to achieve an optimal balance 
between growth and related risks, and effectively deploys resources in pursuit of the 
entity’s objectives. 

7. RISK MANAGEMENT RESPONSIBILITIES AND STRUCTURES 

All personnel have a responsibility for maintaining good internal control and managing 
risk in order to achieve personal, workgroup and strategic objectives. Collectively, staff at
operating units need to have appropriate knowledge, skills, information and authority to
establish, operate and monitor the system of risk control. This requires a good
understanding of the municipality, its objectives, the risks it faces and the people we deal
with. Everyone should be aware of the risks they are empowered to take, which should be
avoided and reported upwards.

The structures through which risk management will be reported are set out below. 


Detailed guidelines on roles and responsibilities are provided in Appendix A. 

10.1 Committee Responsibilities

Ref | Activity | Responsibility | Frequency
1. | The Audit Committee will meet on a quarterly basis. | Committee Chairperson | Quarterly
2. | The Risk Management Committee will review risk management progress on a quarterly basis. | Municipal Manager | Quarterly
3. | The department/divisions Management committees will meet on a quarterly basis. | Strategic Directors/Directors | Quarterly


10.2 Reporting Responsibilities

Ref | Activity | Responsibility | Frequency
1. | The Audit Committee will include statements regarding risk management performance in the annual report to stakeholders. | Committee Chairperson | Annually
2. | The Risk Management Committee will submit a risk management report to the Audit Committee on a quarterly basis. The report will focus on the following: the top strategic risks facing MHLONTLO (all unacceptable residual risk exposures); the strategic risks per department/division (approximately top 10 identified risks); and any risk developments (changes)/incidents/losses. | Municipal Manager | Quarterly
3. | Each department/division will draft a risk management report for submission to the Risk Management Committee on a quarterly basis. This will focus on the following: the strategic risks per department/division (approximately top 10 identified risks); and any risk developments (changes)/incidents/losses. | Directors | Quarterly


10.3 Risk Assessment Responsibilities

Ref | Activity | Responsibility | Frequency
1. | The council will independently review the key risks of MHLONTLO at least once a year. | Executive Mayor | Annually
2. | The Risk Management Committee will arrange for MHLONTLO’s key risks to be formally re-evaluated once a year. | Municipal Manager | Annually
3. | Each department’s/division’s Management Committee will formally reassess the top 20 risks annually (in their environment) and report on the top 10 risks. | Directors | Annually
4. | All committees will review risk registers at each meeting and update the register’s contents to reflect any changes without formally reassessing the risks. | All | As scheduled


10.4 Control Responsibilities

Ref | Activity | Responsibility | Frequency
1. | The Chairperson of the Audit Committee will consider Internal Audit and management’s report concerning the effectiveness of internal controls at least once a year. | Audit Committee Chairperson | Annually
2. | The Risk Management Committee will report to the Audit Committee regarding the performance of internal controls for those risks in the risk registers. | Municipal Manager | Quarterly
3. | The departments/divisions will report to the Risk Management Committee regarding the performance of internal controls for those risks in the operational risk registers. | Directors | Quarterly
4. | All risk registers will contain action plans for improving risk controls and risk interventions. Each committee will review progress made with these action plans. | All | As scheduled


10.5 Governance Responsibilities

Ref | Activity | Responsibility | Frequency
1. | Each key risk will have a nominated risk owner, who will be responsible for the following: updating the risk information; providing assurance regarding the risk’s controls; co-ordinating the implementation of action plans for the risk; reporting on any developments regarding the risk. | All | As scheduled
2. | The internal audit function will use the outputs of risk assessments to compile its strategic three year rolling and annual internal audit coverage plan, and will evaluate the effectiveness of risk controls. | Internal Audit | Annually and as scheduled
3. | The Internal Audit Function will review the effectiveness of MHLONTLO’s risk management processes while executing their plan and submit their reports to the Audit Committee for consideration. Internal Audit will also submit an updated summary of their findings for the whole year and submit to the Audit Committee. | Internal audit | Annually


8. APPENDIX A - RISK MANAGEMENT GUIDELINES


A. Risk Management Guidelines

A.1 Accountability and responsibility guidelines

A.1.1 Roles and responsibilities of the Management

A.1.1.1 The management is accountable for risk management. The management’s responsibilities for
the management of risk within the municipality are stated as follows:

The Municipal Manager and Heads of departments are responsible for the identification
of strategic risks, the total process of risk management, as well as for forming its own
opinion on the effectiveness of the process. Management is accountable to the council
for designing, implementing and monitoring the process of risk management and
integrating it into the day-to-day activities of the municipality;

The Municipal Manager and Heads of Departments should identify and fully appreciate
the business risk issues and key performance indicators affecting the ability of the
Municipality to achieve its strategic purpose and objective; and

The Municipal Manager and Heads of departments should ensure that appropriate
systems are in place to manage the identified risks, measure the impact and to
proactively manage it, so that the Municipality’s assets and reputation are suitably
protected.

Management is accountable to the Municipal Manager for designing, implementing and 
monitoring the process of risk management and integrating it into the day-to-day 
activities of the municipality. 

More specifically Management is responsible for: 

• Designing an Enterprise Risk Management programme; 

• Deciding on the manner in which risk mitigation will be embedded into management 
processes; 

• Inculcating a culture of risk management in the municipality; 

• Providing risk registers and risk management reports pertaining to risk and control; 

• Identifying positive aspects of risk that could evolve into potential opportunities for
the municipality;

• Assigning a Manager to every key risk for appropriate mitigating action and to 
determine an action date; 

• Viewing risk as an opportunity by applying the risk / reward principle in all decisions 
impacting upon the Municipality; 

• Utilising available resources to compile, develop and implement plans, procedures 
and controls to effectively manage the risks within the municipality; 

• Ensuring that adequate and cost effective risk management structures are in place; 

• Identifying, evaluating and measuring risks and where possible quantifying and
linking each identified risk to key performance measurement indicators;

• Developing and implementing risk management plans including:

o Actions to optimise a risk / reward profile to maximise reward with risk
contained within an approved risk tolerance;

o Implementation of cost effective preventative and contingent control
measures; and

o Implementation of procedures to ensure adherence to legal and regulatory
requirements.

• Monitoring of the ERM processes on both a detailed and macro basis by evaluating
changes, or potential changes to risk profiles;

• Implementing and maintaining adequate internal controls and monitoring their continued
effectiveness;

• Implementing those measures as recommended by the internal/external auditors, which,
in their opinion, will enhance control at a reasonable cost; and

• Reporting to the Audit Committee on the risk process and resultant risk/reward profiles.


A.1.1.2 The Municipal Manager will provide stakeholders with assurance that key risks are 
properly identified, assessed, mitigated and monitored 

The Municipal Manager should receive credible and accurate information regarding the 
risk management processes of the municipality in order to give the necessary assurance 
to stakeholders. The reports from the Audit committee and Management Committees 
must provide an evaluation of the performance of risk management and internal control. 
The Municipal Manager should ensure that the various processes of risk management 
cover the entire spectrum of strategic risk. 

The assurance process includes statements regarding the appropriateness of the 
Municipality’s risk/ reward trade-off. 

Because of the fluid nature of risk in the municipality, it is imperative that risk is
confronted in a systematic and structured manner. In our complex environment where
there are literally thousands of technical, process and strategic risks, it is vital that the
management of risk is undertaken in a formalised manner. The Municipal Manager
should provide stakeholders with the assurance that management has a pre-emptive
approach to risk.

The Municipal Manager must ensure that there is a future-looking orientation included in
the consideration of risk.

A.1.2 Roles and responsibilities of Council

A.1.2.1 The council will formally evaluate the effectiveness of the municipality’s risk
management process once a year.

The Council will make a decision regarding the effectiveness of the Municipality’s risk 
management processes. Success with risk management will be evaluated from risk 
committee reports, variance reports, and speed of progress, organisational risk culture, 
unexpected losses, internal control effectiveness and business success. The council 
evaluations will be formally recorded in minutes of council meetings. 

It is recognised that risk management has evolved into a complex management
discipline in its own right. The council’s evaluations of risk management, therefore, will
be supplemented by an independent review to be performed by the Municipality’s audit
committee.

Sufficient independence will be maintained in conducting the annual review. Assurance 
of the processes surrounding key risks must be given. This implies some knowledge of 
the processes of risk management and assumes that they have been witnessed to some 
degree. The observation of risk management processes should not, therefore, have had 
operational participation. 

A.1.2.1 The Council will confirm that the risk management process is accurately aligned to the 
strategy and performance objectives of the municipality. 

The Council will ensure that the risk management processes address risk in a balanced 
way, giving due attention to all types of risk. The Council will evaluate whether 
appropriate resources are being applied to the management of strategic risks, 
reputation, stakeholder risk, financial risk, operational, regulatory, and technical risks. 

The Council will evaluate whether risk management processes are aligned to the 
strategic and performance objectives of the municipality. A balanced perspective of risk 
management is required in proportion to the weighting of potential risk impact across the 
municipality. 

A.1.3 The Audit Committee will monitor the entity’s risk management processes

The Audit Committee will be responsible for addressing the corporate governance
requirements of risk management and monitoring the municipality’s performance with
risk management.

A.1.4 Risk Management Committee 

Functions and responsibilities of the risk management committee include: 

• Establishment and monitoring of the implementation of the Risk Management 
Strategy or Plan; 

• Ensuring that the responsibilities and co-ordination of risk management are clear; 

• Advising the Municipal Manager on urgent risk management issues and required 
initiatives as part of its quarterly reporting process; 

• Overseeing the implementation and maintenance of the ongoing process of risk 
identification, quantification, analysis and monitoring throughout the municipality; 

• Ensuring that the risk management induction, training and education programs are
targeted appropriately for all levels of personnel and that they are established and
implemented;

• Reviewing and recommending actions for improvement regarding outstanding 
actions on risk management plans; 

• Evaluating the risk profile of the Municipality as well as for major projects and new 
ventures, requiring the approval of the council; 

• Reviewing issues for consideration as identified by the council and Audit Committee; 

• Assisting with the development of an integrated approach to financing and managing
risk to minimise cost;

• Facilitating the sharing of post loss analysis information and thereby improving
prevention and control measures;

• Reviewing the risk management on a quarterly basis to take note of the material
risks to which the Municipality may be exposed and considering, noting and, if
necessary, commenting on the strategy for managing those risks; and

• Keeping abreast of all changes to the risk management and control system and
ensuring that the risk profile and common understanding is updated, as appropriate.

A.2 Reporting requirements

A.2.1 Internal reporting processes for risk information

A tiered structure of risk reporting should be followed and should include amongst others:

• Each department / division is required to submit the Top 10 strategic risk register to 
the Risk Management Committee on a quarterly basis; 

• The Risk Management Committee is required to submit the top strategic risks (all 
identified risks with unacceptable risk exposures) and the top 10 risks per 
department / division to the Audit Committee on a quarterly basis. These strategic 
risks should include residual risk status and actions to be taken to further mitigate 
the risk consequences; and 

A.2.2 The frequency of risk monitoring 

The risk registers should indicate how often a key risk should be monitored and reviewed. 
In the realm of financial risk the exposures may be monitored on a continual basis. Other 
risks such as regulatory change may only need formal review once a year. For the majority 
of business risks it is important to choose monitoring periods that span between 1-3
months.

Risks with an unknown pattern and risks that are new to the Municipality should receive
more frequent attention. The results of monitoring processes will be documented in a 
defined format. 

A.2.3 Incident reports will be generated for unacceptable losses 

This is an internal management function. The destination of incident reports will be 
determined by the nature of the loss, but losses that originate from risks contained in the 
key risk registers should always be elevated to higher levels of management. Variance 
reports are incorporated into routine management reporting processes. The inclusion of 
risk-related variances can be incorporated. 


A.3 Risk Assessments

Once every two years, the MHLONTLO will undertake a thorough reassessment of its risks
at all levels.

A risk assessment is the process by which the risks to be managed in an organisation are
identified. Comprehensive identification using a well structured systematic process is critical,
because risks not identified are never further analysed and potentially are not managed.
There are many different processes and methodologies in use by which risks can be
identified i.e. risk workshops, interviews, questionnaires and surveys, research.

At a minimum a risk assessment should result in: 

• Identification of relevant risks towards the achievement of objectives; and 

• The prioritisation of risk, which often necessitates estimating the timing, magnitude and 
probability of risk occurrence. 

The first part of carrying out a structured risk assessment is to profile the key building 
blocks of the Municipality. This will highlight dependencies, critical parts of the business 
and start to pinpoint vulnerabilities. 

The OR Tambo District Municipality Risk Management Process is depicted below:

Set out below is a discussion on each element of the process.


A.3.1 Establish the context 

The risk assessment processes begin with the profiling of the Municipality context. The 
outputs of this task must be documented and should include amongst others: 

• Business environment; 

• Total size of the core/ support services; 

• Key players; 

• Stakeholder’s driving forces. 

Establishing the context is a prerequisite to the process of identifying risks in any given
situation. Establishing the context is about placing a boundary around the subject matter 
that is being subjected to the risk management process. Contexts can be entire 
businesses, functions, departments, processes, projects, activities, specific business 
decisions that must be taken and the like. In setting the context, consideration must be 
given to: 

• the business objectives of the subject matter that is being covered; 

• the purpose, scope and depth of the risk management process to be applied; 

• the time horizon to be covered for risk identification purposes; 

• establishing the roles and responsibilities of the various people and
parts of the organization participating in the risk management process;

• subdividing the subject matter into a set of elements in order to provide a logical 
framework that helps ensure that significant risks are not overlooked; and 

• deciding the criteria against which risks will be evaluated 

A.3.2 Identify risks 

The purpose of risk identification is to identify all risks within the context established above. 
The aim is to generate a comprehensive list of risks that might have an impact on the 
achievement of each of the objectives identified in the context phase above. 

These events might prevent, delay or enhance the achievement of those objectives.
In this regard, risks identified should not only be events that could hinder/threaten the
achievement of objectives but also events that could have a positive effect on the
achievement of objectives.

Comprehensive identification using a well-structured, systematic process and involving the
right people is critical, because a risk not identified at this stage may be excluded
from further analysis. Risk identification should include all risks irrespective of whether or
not they are under the control of the municipality.

A.3.3 Analyse risks 

This phase covers the following elements:

• Risk exploration;

• Controls evaluation; and

• Determine risk level.

Each of these elements is dealt with below.

Risk exploration (understanding the causes and consequences of identified risks)

The purpose of risk exploration is to understand the causes and consequences of the 
identified risks. In the absence of a precise understanding of the cause of a risk one is 
unable to design effective preventative control measures to manage the cause. Similarly, 
in the absence of a precise understanding of the nature of the consequences of a risk one 
is unable to accurately measure the impact that the risk may have nor implement effective 
corrective control measures to manage the impact. 

Controls evaluation (evaluating existing risk treatment controls)

This involves obtaining an understanding of the existing preventive and corrective controls 
currently in place to treat the risk together with the operating effectiveness of those 
controls. This information is vital for accurately assessing the residual risk level which is 
covered below. 

Determine risk level (measuring the impact and likelihood levels of identified risks)

Risk assessment involves assessing the magnitude of the consequences of a risk, should
it occur, and the likelihood of the event occurring. The consequence and likelihood are
combined to produce a risk level. The risk assessment tool set out in Annexure B should
be used to facilitate this process. Based on this tool, any given risk will be assessed at one
of [5] levels.

Two types of risk assessments could be performed, namely qualitative and quantitative. 
Qualitative assessments are used where risks do not lend themselves to quantification or 
when either sufficient credible data required for a quantitative assessment is not practically 
available or a quantitative assessment is not cost-effective. Qualitative assessments are 
typically based on subjective views of individuals. The following are some of the 
information sources when performing a qualitative assessment: 

• Past incidents and experience; 

• Published literature; 

• Consultations with stakeholders; and 

• Expert judgements 

Quantitative techniques involve the use of mathematical models, bring more precision and 
are typically used in more complex and sophisticated activities to supplement qualitative 
techniques. 

It should be noted that qualitative assessments will suffice for the vast majority of risks. 
Risks are normally assessed at an inherent level and at a residual level. It is accepted, 
however, that in certain contexts the inherent risk assessment will not add value and that 
only a residual assessment is performed. 

The inherent assessment is an assessment of the level of risk before the evaluation of 
existing risk treatment controls has been considered. 

The residual risk assessment is an assessment of the level of risk after risk treatment 
controls have been evaluated. 

A.3.4 Evaluate risks 

The purpose of risk evaluation is to make decisions, based on the outcomes of risk
analysis, about which risks need treatment as well as risk treatment priorities.

Risks assessed as Level 1 risks will receive the highest priority, followed by levels 2 to 9
respectively. Individual risks or an aggregation of common risks at level [1 and 2] will
generally be considered as beyond the MHLONTLO risk tolerance level and therefore risks
at these levels must be considered for further treatment.

Each business unit and corporate function will need to set their own tolerance levels based 
on their unique circumstances. However, these tolerance levels will need to be aligned 
with the group tolerance levels. 

A.3.5 Treat risks 

Risk treatment involves identifying and evaluating the range of available options for 
treating a risk and the preparation and implementation of appropriate treatment plans. 


A.3.5.1 Available options 

Avoidance - Exiting the activities giving rise to the risk. Examples include:

• disposing of a business or a component part

• deciding not to proceed with the project/activity that gives rise to the risk

Reduction - Action is taken to reduce the impact or likelihood, or both. Examples include:

• establishing limits of authority;

• introducing new internal control measures

Sharing - Reducing risk likelihood or impact by transferring or sharing a portion of the risk
with third parties. Examples include:

• purchasing insurance products

• engaging in hedging activities

Retaining the risk - Some level of residual risk will always be retained after the 
implementation of risk treatment plans and management will need to decide whether the 
remaining risk level is acceptable or not. 

Selecting the most appropriate response or a combination of responses involves, amongst 
other things, balancing the costs of implementing the treatment against the benefits to be
derived. The cost of managing a risk must be commensurate with the benefits to be
derived.

Preparing and implementing risk treatment plans 

The purpose of risk treatment plans is to document how the chosen options will be 
implemented. The treatment plans should include: 

• proposed actions; 

• resource requirements; 

• responsibilities; 

• timing; 

• performance measures; and 

• reporting and monitoring requirements 

A.3.6 Monitor and review 

Any risk profile will change over time. Risk treatment plans that were once effective may 
become irrelevant; control activities may become less effective, or no longer be performed; 
business objectives may change or regulatory requirements may change. 

This can be due to the arrival of new personnel, changes in the business structure or 
direction, the introduction of new systems and processes or developments in the external 
environment. 

In the face of such changes, management needs to continually monitor the effective 
functioning of the risk management process. This monitoring should occur in the normal 
course of management activities. 

The following monitoring mechanisms should be implemented: 

A.3.7 Monitoring of implementation of risk treatment plans

Action plans to develop and implement risk treatment plans need to be monitored to 
ensure that the necessary plans are implemented on schedule and as intended. 

This monitoring process should be embedded within the normal day to day monitoring 
processes already in place within the business e.g. departmental meetings, management 
meetings, etc. 

Internal audit will also evaluate the status of action plans for significant risk exposures as
part of their routine audits.

A.3.8 Monitoring of ongoing effectiveness of risk treatment controls

The effective operation of risk treatment controls must be evaluated on an on-going basis. 
Each functional area within the municipality will need to develop its own plans as to the 
frequency and scope of these reviews taking into account, inter alia, legal and regulatory 
requirements. These reviews may include management reviews, self-assessment reviews 
and third party reviews as appropriate. Internal audit will also perform an independent 
review of selected risk treatment controls. 

A.3.9 Identification and assessment of new/ emerging risks 

There is a need to regularly review risk registers to ensure that they remain relevant and 
complete. This applies to strategic, functional/departmental and process level risk 
registers. 

It is a group requirement that this review is formally done at least twice annually across all 
areas of the business. However, the occurrence of any one or more of the following events 
should trigger the need for an immediate review: 

• Changes in business strategy 

• Legal & regulatory changes 

• Restructuring of the business or departments or processes or major changes to 
people, processes and technology 

• Loss of key personnel 

• Significant control deficiencies identified by internal and/or external auditors 

• Incidences of fraud 

• Legal liabilities and challenges 

• Changes to business objectives 

• Changes to key performance indicators 

A.3.10 Monitoring of the effectiveness of the risk management process as a whole

The efficacy of the entire risk management process needs to be reviewed on a periodic 
basis. 

The Internal Audit department will be responsible for performing such review and providing
assurance that the risk management process has been applied appropriately across the
organization and that all elements of the process are suitable and sufficient.

A.3.11 Risk reporting


The essence of risk reporting is that the right people must receive the right information at 
the right time. 

Risks at all levels must be reported internally (formally and informally) at different levels 
within the municipality. Each department or division will need to develop its own reporting 
framework taking into account existing management reporting processes and legal and 
regulatory requirements. 

A.4 Control requirements 

Every risk will have a number of controls, mitigations or interventions that have been 
designed to contain the potential impact or likelihood of the risk. These controls need to be 
identified and evaluated. They will form the basis of an assurance plan to the Council and 
Municipal Manager, and may be tested by the internal audit process or other independent 
means of evaluation. 

The following aspects of the control environment should be considered: 

A.4.1 Verify and evaluate the controls currently in place for the key risks 

It is important that all of the existing controls for identified risks are in turn identified and 
evaluated. Such controls may take the form of policies, procedures, management activities 
and instructions. The controls must be evaluated in two essential ways. 

Firstly, an evaluation of the appropriateness and adequacy of the existing controls for the 
risk must be undertaken. 

Secondly, the performance of the existing controls must be evaluated. 

Desired levels of control effectiveness must be determined. The gap between existing 
control effectiveness and desired effectiveness must result in an action plan. 

A.4.2 Evaluate the strategic mitigations in place for key risk 

A specific review of the Municipality’s strategic position in the context of risk must be 
carried out. The Municipality’s ability to liquidate its positions must be assessed. The 
degree of strategic flexibility in response to a risk event must be considered. 

The robustness of the strategy in the context of the risk assessment findings must be 
evaluated. Likely strategic responses to risk and their performance are aspects that must
be fully understood. This process may require separate processes of scenario planning
around strategic intent.

A.4.3 Identify and evaluate the post-event measures in place for response to risk 

The ability of the Municipality to respond to a risk event must be evaluated in detail, and
the result recorded as a control in the register. Post-event measures include crisis
management capabilities, emergency planning, and business continuity plans contingency
planning. These responses should incorporate planned measures that cover the basic
types of managerial response, such as finance, people, technology and customers.

The criteria for performance will include speed of response, comprehensiveness of response
and degree of readiness.

A.4.4 Review the financial risk protection measures in place to respond to the consequences of
risk events.

The Municipality’s risk finance measures include an insurance portfolio, self-insurance
policies and funds, financial provisions, and operating budgets for the funding of losses or
variances. Management must compare the results of risk assessment processes with the
current risk finance arrangements.

This will highlight the net financial effect of risk events upon the Municipality. It will also
influence the decisions relating to the structure of risk finance. Certain risks may be
deemed intolerable and may require a self-insurance facility or provision to manage the
risk. Low risk may lead to greater risk retention limits.

A.4.5 Verify the levels of compliance with regulatory requirements

Adherence to legislation and regulatory frameworks is not negotiable. It is essential that
risk related requirements are incorporated into control frameworks. Relevant requirements
must be verified. It is the responsibility of management to build compliance processes
around these requirements. Any material breaches must be reported as deemed
appropriate through the structures of reporting developed for this.

Having ascertained the suitability, appropriateness and effectiveness of risk controls,
management will decide upon further action plans for actual and possible risks.

A.4.6 Take decisions on the acceptability of identified risk and controls

A distinct and conscious process of decision-making for each key risk must be made taking
into consideration the risk tolerance levels for the entity. The decisions made for every key 
risk must be recorded. Decision options include the possibility to tolerate/ accept, treat/ 
reduce, transfer/ share or terminate/ avoid risks. The potential impact upon strategic and 
operational objectives will influence the outcomes of decision-making processes. 

When taking a decision, care should be taken with any action that could:

• Result in serious injury or fatality;

• Result in significant harm to the environment;

• Impact on the reputation of the municipality;

• Impact on the performance of the municipality;

• Result in a fine by regulatory authorities; and/or

• Undermine the independent and objective review of activities.

Possible prohibited risk areas include the following:

• Changes that could result in regulatory breach; 

• Fraud and corruption; 

• Theft of the Municipality property; and 

• Access to the property by unauthorised personnel. 

Any of the above would constitute unacceptable risk. 

A.4.7 Document your action plans for risk mitigation 

The action for improving or changing risk mitigation measures must be documented in the 
risk registers. 

It is important that a process of tracking progress made with risk interventions is followed. 
Such a process provides a trail of information that may prove to be necessary at some 
future stage. 

Good governance practices would expect this. Because risk is often a process of 
perception, misunderstandings can arise where no record is kept. 

The action plans must be unambiguous and provide target dates and names of
responsible persons. A process of follow-through must be used.

A.4.8 Use the outputs of risk assessments for budgeting and capital allocation processes.

It is important that risk information is factored into budgeting decisions. The variability of
budgeted targets must be considered, and one must assume that the risks associated with
key Municipality objectives in the budgets have been evaluated as part of the risk assessment
process.

Considerations around budgeting should also be put in the context of cost-of-risk
evaluation.

A.5 Governance requirements 

A.5.1 Establish an organisational framework of assurance for key risks and controls. 

A framework of assurance must be developed for your risks. Key players in the
Municipality will combine to provide assurance to the Council and Municipal Manager that
risks are being appropriately managed.

This combined approach to assurance normally involves external auditors, internal auditors
and management working together through the audit / risk committee.

Other experts should be chosen to provide assurance regarding specialised
categories of risk, such as environment management. The assurance framework must be
formalised and should incorporate appropriate reporting processes.

A.5.2 Internal audit provides assurance that management processes are adequate to identify 
and monitor significant risks 

The internal audit function’s evaluation must examine the techniques used to identify risk. 
The categories and the scope of risk assessments should be considered. The 
methodologies used to extract risk information must be reviewed. A consensus view of the 
Municipality’s risk profile should be apparent. Monitoring processes should be wholly 
aligned with the results of risk assessments. 

The internal audit function should particularly seek evidence that the processes of risk
identification are dynamic and continuous, rather than attempts to comply with governance
expectations.

A.5.3 The outputs of risk assessment are used to direct the internal audit plans 

Internal audit plans depend greatly on the outputs of risk assessments. Risks identified 
from risk assessment must be incorporated into internal audit plans according to 
management and Audit Committee priorities. The risk assessment process is useful for
internal audit staff because it provides the necessary priorities regarding risk as opposed
to using standardised audit sheets.

The audit activities will focus on adherence to controls for the key risks that have been 
identified. In addition, internal audit staff may direct management towards the need for 
better controls around key risks. 

A.5.4 Internal Audit provides an evaluation of risk management process 

The internal auditors must verify that risk reports are credible and offer a balanced
assessment of risks. It is vital that an enterprise-wide view of risk management is adopted
by the municipality, and the Internal Audit will examine this.

The reliability of risk information, particularly the function regarding controls, should be 
scrutinised by the Internal Audit Function. 

The Internal Audit Function should work with specialist providers of assurance where 
necessary. 

A.5.5 Internal audit provides objective confirmation that the Council and Municipal Manager
receive the right quality of assurance and reliable information from management
regarding risk

The Internal Audit Function plays a key role in coordinating the key players in the risk 
management process to provide assurance to the Municipal Manager. 

The Internal Auditor is not normally the only provider of assurance. 

The function does, however, have an important role in evaluating the effectiveness of 
control systems. 

The process of assurance must of necessity involve the council, the Audit Committee, 
Municipal Manager, Management, External Auditors, Regulators and the Internal Audit 
Function. 

A.6 Common Language 

Given that the enterprise risk management process will strive to integrate various 
participants and specialists from disparate risk professionals, it is vital that the process 
does not confuse all concerned by using disjointed terminology.

Frequently used risk management terminology should be defined in such a way that it
ensures different disciplines have a common interpretation of the terminology in question. 
(The secret is to keep it simple) 

9. APPENDIX B - RATING TABLES

Qualitative assessment of potential impact taking current controls into consideration

The following table is to be used to assist management in quantifying the potential impact that a risk
exposure may have on the municipality.

Score | Title                    | Description
      | Catastrophic/fundamental | Disaster with the potential to significantly harm the business and is fundamental to the non-achievement of objectives.
4     | Critical                 | Critical event which can be endured but which may have a prolonged negative impact and extensive consequences.
3     | Serious                  | Major events which can be managed but requires additional resources and management effort.
2     | Significant              | Event which can be managed under normal operating conditions.
1     | Minor                    | Not worth worrying about.


Qualitative assessment of probability of occurrence taking current controls into
consideration

The table below is to be used to assist management in quantifying the probability of specific
risk occurring.

Score | Title          | Description
      | Almost Certain | The event is expected to occur in most circumstances.
4     | Likely         | The event will probably occur in most circumstances.
3     | Moderate       | The event should occur at some time.
2     | Unlikely       | The event could occur at some time.
1     | Rare           | The event may occur in exceptional circumstances.


Residual risk exposure

Residual risk is the product of impact and likelihood. The risk appetite for organisation level
residual risk is as follows:

Score        | Title             | Description
             | Unacceptable/High | Take action to reduce risk with highest priority, accounting officer and executive authority attention
From 8 to 12 | Cautionary/Medium | Take action to reduce risk, inform senior management
From 1 to 7  | Acceptable/Low    | No risk reduction - control, monitor, inform management


10. APPENDIX C - RISK CATEGORIES

The following are some of the risk categories: 


Processes 

■ Asset management 

■ Budgeting and reporting 

■ Revenue management 

■ Expenditure management including payments 

■ Supply chain management. 

■ Infrastructure and services 

■ Information technology. 

■ Security and auxiliary services 

■ Health and community services 

■ Social services 

■ Housing 

■ Disaster management and fire services. 

■ Corporate services (human resources and administration). 

■ LED. 

■ Environmental management 

■ Communications. 

■ Regulatory/ statutory requirements (legal). 

■ Local community and local municipal stakeholders (public participation). 


13. This policy has been approved by the Municipality in terms of Council resolution ..
dated and takes effect on the effective date of the first valuation roll on 1 July 2014.

Approved by

Mayor 


Municipal Manager 


Date 


Mhlontio- Risk Management Policy 





